The power industry has unique technical needs in addressing cyber security - NOT!

Oct. 31, 2014

The Convenor of IEC TC57 WG15 sent a note to ISA99 stating that the power industry organizations have additional or different security situations that are causing us to create our own security standards and guidelines. Other than for compliance reasons (NERC CIP), the power industry is NOT different than other industries in securing industrial control systems.

The convenor of IEC TC57 Working Group 15, Data and Communication Security, sent the following note to ISA99. “As the convenor of IEC TC57 WG15, …I know some utilities have referenced the ISA 99 documents, but the power industry organizations have additional or different security situations that are causing us to create our own security standards and guidelines.”

I am very concerned about those statements concerning the uniqueness of the power industry because I do not believe it is unique except for addressing compliance requirements set forth in the NERC CIPs. Much of my career was in the power industry. I have been a member of IEC TC57 WG15 since the early 2000’s. I am a member IEC TC65 WG10 (process control system cyber security), a designated US expert to IEC TC45A (nuclear plant cyber security), the Managing Director of ISA99, and involved in various IEEE and CIGRE committees on cyber security of electric systems.

Since I first helped start the EPRI control system cyber security (EIS) program in 2000, I felt it was important to reach out to other industries as they use the same/similar equipment and have the same cultural and technical cyber issues. Moreover, SCADA is used by many other industries than just electric; electric substations are used by other industries than just electric utilities; and power plants (regardless of power source) are process plants with the same equipment. What we were trying to avoid was having vendors build systems specific to each industry strictly for cyber security reasons. That is a vendor having to supply an electric industry PLC, a water industry PLC, a pipeline industry PLC, etc. even though the functional needs were the same. The end-result could be more inventory, additional training, …This was the rationale for working with NIST in the 2000/2001 time frame to initiate the Process Controls Security Requirements Forum (PCSRF) that eventually became ISA99. ISA99 was a deliberate decision within the various ISA industry departments to form an international, cross-industry standards committee specifically for ICS because of the commonality of ICS cyber security issues across all industries. However, there has been, and continues to be, very little participation from the electric power and nuclear plant utility personnel on ISA99.

I am not the only one to take exception to the convenor’s statement. The co-chair of ISA99 has said:

“I have heard statement of this type made by representatives of several different sectors, but most commonly from the electricity sub-sector of Energy. What I have not heard are any specifics or tangible and practical examples of exactly what makes these sectors and sub-sectors so "different." I could certainly speculate, but I don't believe that is appropriate. I believe that the onus is on the person making such an assertion to provide supporting evidence and/or examples. Without getting into too many details I can see a potential for differences to exist between major types of manufacturing or industrial processes, irrespective of where or by what sector(s) they are used. For example, there may be differences that are characteristic of discrete manufacturing as opposed to the continuous processing or batch processing. However, in many companies (such as mine) we have all three of these process types. The more important question in my mind is whether electrical generation and transmission (individually or together) represent a sufficiently different type of industrial process to justify a tailored response. Even if it does I have a hard time accepting that the differences are so fundamental that a completely different set of standards are required. Surely there is common ground that can be shared and developed across process types.”

Another contributor to the ISA99 committee has expressed similar views:

“Based on my former experience of Chief technology officer of the ALSTOM Group, it seems to me that there are no significant differences between power generation/transmission and other industries. It is more a question of culture and tradition. On the other hand, I believe that the distribution sector raises very specific issues. With smart meters, and smart grids in general, we are facing a problem of different nature. With millions of entry points, we have a SUC which is evolving every day, the limits of which are not well known and which is impossible to control point by point. This is the problem of IoT cyber-security. The zones and conduits paradigm is no longer applicable and new approaches have to be developed. But once again, as regards power generation, and even transmission, I see no major specificities.”

I hope the convenor of TC57 WG15 and others who have espoused the uniqueness theory will reconsider their stance as it is not helping to secure the power industry.

Joe Weiss